Ticking away the moments that make up a dull day… oh wait, this isn’t a Pink Floyd forum.
In all seriousness, time is a finite resource. And for all of us in IT — and particularly in security — we’re always up against time.
Time is a critical element when it comes to asset inventory. Virtual machines and containers are spun up and deprecated all the time, and depending on when you check, the counts will be different. Devices hop on and off the network all the time, and depending on which data sources you use to track these ephemeral devices, you will end up with wildly variant answers.
Even the very characteristics of laptops and servers are changing all the time. So much so that if you aren’t collecting information from them continuously, your inventory characteristics for the device will simply be wrong.
Simply put, the rate of change of your asset inventory, including the device count, the device characteristics, and the very conditions you care to track, is very fast.
Time’s Impact on Asset Inventory
The impact of time can be found all across your inventory, from how and what is collected, to the questions you ask and the answers you receive.
When was a particular device last seen? The answer depends on the data source you ask. A device may have:
- Been scanned for vulnerability two weeks ago
- Been authenticated to the domain controller five days ago
- Received a Dynamic Host Configuration Protocol lease three days ago
- Had the EDR agent check into its management console yesterday
- Been seen chatting through the firewall two hours ago
Tracking the last seen values across an aggregate of data sources is the only way to really do comparative analysis to find conditions like active devices with broken security agents.
An Asset Inventory’s Trustworthiness is Time-dependent
Deconflicting a common field of data across multiple data sources for a single device often comes down to time. An example is the last used user of the device. The actual truth for this value is dependent on ‘and relative’ to when certain agents on the device check into and deliver a resulting answer to their respective data sources. Whichever agent provided the most recent answer is likely to be the most trusted source.
What about the device characteristics like installed software and vulnerabilities? Often intertwined, installed software and the vulnerabilities on a machine are highly dependent on both the data source and when those data sources were last updated.
The vulnerability scan data for a device from four weeks ago will obviously be different from a vulnerability result today. Similarly, endpoint management agents that run on the device are likely to provide more frequent updates about the device conditions.
The first seen, first fetch, last seen, last fetch times for each data source are all impactful factors for how many assets you have in the inventory right now. Perhaps the better questions to ask are:
- How near to real-time up-to-date is your inventory?
- How long does it take to collect the inventory data?
- What characteristics are most important to track, and how are they impacted by time?
Tracking and timelining mission specific containers and VDIs (and their respective characteristics) that have short lives requires a different collection method and cycle compared to longer lived and more permanent assets, like production servers and physical laptops.
Moreover, the data sources that have information pertaining to these different asset classes and types of devices are likely to be different, with own specific time-based elements.
Time’s Role in Using an Asset Inventory
The SOC team triaging thousands of alerts daily needs the inventory to be complete, near real-time, up-to-date, and contain the utmost context. The Windows Server team responsible for hygiene, patches, and agent deployments need the inventory to be up-to-date only when performing their less frequent tasks.
Auditors may only need to use the inventory once a quarter to ask questions about agent coverage or password change confirmation. Incident responders often need to query the inventory for device characteristics and conditions that existed in the past.
A time-based inventory is also critical for tracking and trending the progress of your patch and vulnerability management efforts as well as migrations of EDR, EPP, MDM, DLP, and UEM software from one vendor to the next.